CVE-2026-7249
Received Received - Intake
Location Weather Plugin WordPress Authenticated Data Modification Vulnerability

Publication date: 2026-05-22

Last updated on: 2026-05-22

Assigner: Wordfence

Description
The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-22
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-7249
EUVD
EUVD-2026-31404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shapedplugin location_weather to 3.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The Location Weather plugin for WordPress has a vulnerability due to missing capability checks in two functions: splw_update_block_options() and lwp_clean_weather_transients().

This flaw allows authenticated users with Contributor-level access or higher to modify data without proper authorization.

Specifically, these users can disable all weather blocks on the site and purge all cached weather data (weather cache transients).

The nonce (a security token meant to prevent unauthorized actions) required for these operations is exposed to all authenticated users via wp_localize_script() on the init hook, making exploitation easier.

Impact Analysis

This vulnerability can impact you by allowing users with Contributor-level access or above to disable all weather blocks on your WordPress site.

Additionally, they can purge all cached weather data, which may degrade the user experience by removing weather information and causing delays as data is re-fetched.

While it does not allow data theft or site takeover, it can disrupt the functionality of the weather features on your site.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Location Weather plugin to a version later than 3.0.2 where the missing capability checks have been fixed.

If an update is not immediately available, restrict Contributor-level and above users from accessing or modifying weather blocks and cache transients until a patch is applied.

Monitor authenticated user actions related to weather blocks and cache purging to detect any unauthorized modifications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart